by

Lori A. Richards

Securities Industry Association
Tempe, Arizona
October 15, 2002

The Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author's views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the staff.

Good morning. I'd like to thank the Internal Auditors Division of the SIA for asking me to speak here today. I would also like to thank the SIA for sponsoring conferences such as this one, which bring together regulators and securities industry professionals to discuss key compliance issues of the day.

The last time I spoke to this group was in 1996  so much has changed since then. One change is reflected in your roster of speakers. In 1996, who would have ever guessed that Barry Minko  who orchestrated a financial fraud of major proportions at ZZZ Best, a public carpet cleaning company  would be on the lecture circuit  teaching internal auditors how to detect and eliminate fraud? Mr. Minko's new profession is gratifying to folks at the SEC, particularly to me, as I worked in the SEC office that investigated and sued Mr. Minko. I hope that his tips on fraud detection really can help save companies and their investors from the terrible cost of fraud  or at least that he has some good tips on getting red wine stains out of berber carpet!

The events in our markets today  the collapse of large public companies, the volatility in the markets, the public's unease with securities analysts  underscore the importance of internal audit professionals in our securities markets. Securities firms must do all they can to restore trust and confidence in our markets. In this environment, the role of the internal auditor in detecting fraud and promoting compliance will be more critical than ever.

I want to say clearly at the outset that regulators strongly support your efforts as internal auditors. In fact, I believe that our respective roles are complementary. We both try to ensure that securities firms maintain and enforce robust internal controls ensuring that risks are monitored, measured and controlled, including the risk of a compliance breakdown. As regulators, we do this by conducting regular examinations which hopefully, exist not only to detect bad practices and weak systems that could lead to compliance failures, but also to instill a sense of discipline  the kind of discipline that inevitably comes from the knowledge that inspectors will be arriving at some point to look over operations. The certainty that inspectors will be reviewing operations has created countless conversations along the lines of the following:

Compliance Professional to Businessperson: "Well, we really need to have a better control here, a supervisor should approve those [insert: pricing overrides/investment recommendations/margin exceptions]."

Businessperson: "Gosh, that would take too long/cost too much/put us at a competitive disadvantage."

Compliance Professional: "Well, we're going to be examined for this, and I'd hate to get in trouble with the auditors."

Businessperson: "Alright then, we better implement that control."

I know that conversation rings true to you too, because as auditors and examiners, we have the same effect  we both instill a discipline in firms that helps shore up compliance and internal controls. While SEC examiners don't and can't be onsite within firms all the time, you are. We rely on your efforts to ensure that you're looking over the shoulders of your business people, to ensure that your firm has implemented and is following strong internal controls. As I have said, our mission is a common one.

And, given that common mission, we need to work in partnership with you to address the very real and daunting challenges that face us now. As the SEC moves to implement the requirements of the Sarbanes-Oxley Act, the role of a company's internal controls, and its associated internal audit functions, will become more important than ever. Securities firms that are associated with public companies - and many of your firms are - must be alert to these new requirements, and consider whether and how they will affect your firm. From our perspective, it is our hope that the robust internal audit function that will be necessary to support Sarbanes-Oxley disclosures will not only ensure strong corporate governance and financial reporting, but also will help promote increased attention to securities law compliance.

Today, I wanted to talk with you about some of the areas we are focusing on now in our examinations. First, I will discuss what I call "bread and butter" securities law compliance issues, including the particular sales practice compliance areas we are focusing on currently. Then, I will discuss in greater detail what OCIE has been doing in the internal controls area.

It's my hope that by sharing with you today the areas that we at the SEC are most interested in at the moment, you will use this information to make certain that your firm's internal audit program in these areas is strong.

Supervision and Compliance Controls

A number of well-publicized compliance failures  like Bankers Trust, Kidder Peabody, Barings, and Allied Irish Bank  have highlighted compliance lapses at large, complex firms. Moreover, the recent spate of mergers and acquisitions in the financial services area have highlighted the need for a comprehensive look at the compliance systems of large, complex firms.

Accordingly, we have recently initiated a series of special examinations to review the overall compliance systems of a number of large broker-dealer complexes. That is, we are looking at all compliance procedures and their implementation at all broker-dealers in a complex. These examinations focus on a top-down evaluation of the effectiveness of the broker-dealer's compliance and supervisory systems, as well the implementation of those procedures. We're focusing on the firm's compliance culture  is compliance a high priority within the firm's overall organization? Are all the firm's broker-dealers included in the firm's compliance program? Are sufficient staff and other resources allocated to ensure complete oversight? Is surveillance adequate, particularly at branch offices? How are problem trades detected? Finally, how are complaints and compliance issues recorded and, thereafter, resolved?

As internal auditors, I think that you could assist your firms by reviewing your firm's overall compliance program, and testing how its procedures and controls reasonably promote compliance with the securities laws.

Misappropriation of Customer Assets

A particular focus area right now for examiners, both SEC and SRO examiners, is evaluating procedures to ensure that firm personnel cannot misappropriate customer assets. We have looked at the Frank Gruttadauria matter, in which a Cleveland registered representative stole millions of dollars from his customers, as a textbook case of what none of us want repeated. Examiners will be reviewing what I think should be very basic compliance procedures to prevent theft of client funds and securities:

how does the firm handle checks to and from customers?

how does the firm handle customer changes of address, particularly to P.O. boxes?

how does the firm handle customer authorizations for withdrawing or transferring funds?

what are the firm's controls over the sending of account statements?

does someone other than the registered representative follow up with customers in response to unusual account activity?

does the firm have adequate supervision over producing branch managers?

We expect firms to do all they can to protect against theft by employees, and having good front-end supervisory and compliance procedures is key. The NYSE has also proposed new rules in this area, which would require that firms have adequate internal controls in certain critical areas involving the transmission of customer funds and securities and the supervision of producing branch managers. I believe that these proposed rules are an important step forward in ensuring that customers are protected from unscrupulous brokers. As internal auditors, you can help by reviewing your firm's policies and procedures to prevent and detect misappropriation of client funds, and by testing firm procedures and surveillance systems, particularly at branch offices.

Sales Practices

A continuing focus for SEC examiners is on retail sales practices - unauthorized trading, suitability, disclosure of risks, costs and fees, churning and switching. We've placed particular emphasis on reviewing sales practices for particular products that are new or are popular with retail investors  mutual funds, variable annuities and limited partnerships, and in the coming months, securities futures products.

We're continuing our examination sweep of firms selling variable annuities. Fundamentally, we're concerned that investors don't understand the complexities of this product. More complex products require that registered representatives spend more time explaining them to customers. With "bonus variable annuities," we're worried that this product is being inappropriately recommended to customers to switch from one similar annuity to a bonus annuity, that has a larger payment for the registered representative but may not be beneficial for the customer, because of the customer's investment timeline, age, or investment objectives. We are concerned that many firms we've examined have not implemented sufficient safeguards to prevent this misconduct.

We're also continuing to conduct examinations of branch offices, since sales practices violations occur most often in branches. Last year we conducted a large number of exams of retail branch offices, many for cause and unannounced. We will continue to conduct these examinations in the coming year as well. As internal auditors, any attention you can give to examining and testing your firm's branch office supervisory system will likely assist your firm as when it faces an SEC branch office exam.

Net Capital and Customer Reserve

Intentional and unintentional net capital and customer reserve violations are among the most frequently-identified problems in our exams. With declines in firm revenues, maintaining adequate minimum capital to conduct business is more
important now than ever. Compliance with these rules is mandatory. And, we make enforcement referrals if we find serious or intentional violations. Clearly, this is an area that deserves the attention of the internal auditor.

Best Execution

SEC examiners are continuing to focus on execution practices of broker-dealers and advisers. Over time, we've seen that firms are paying greater attention to conducting a "regular and rigorous analysis of execution quality"  many firms have a formal process to evaluate execution quality  they have designated committees, they review execution quality of various market centers, they have compliance staff review the process, and the analysis is well-documented.

Now retail order routing firms have a new tool to measure and monitor execution quality  all firms should be using the new market quality data required to be provided by market centers under Rule 11Ac1-5. SEC examiners will want to see that firms are using this information to evaluate the quality of the markets to which they route orders and the quality of other alternative markets. We will be asking firms if their routing decisions are consistent with the execution quality data they have available, and that they have, hopefully, carefully analyzed. Order routing decisions must be made based on the ability to get the best possible execution, not on order routing inducements.

Many firms are using "smart routing technology" that allows them to instantaneously route individual customer orders to the market posting the best price or best size (or both), with algorithyms that also factor in past fill rates and price improvement rates. Certainly, "smart routers" go a long way to ensuring that customers are getting the best possible price at any given moment during the trading day.

We would expect that this is an area that warrants scrutiny and testing from a firm's internal audit team. Reviewing your firm's process and data to assess best execution will assist your firm in demonstrating its compliance in this area to SEC staff examiners.

Money Laundering

Securities firms have new responsibilities to prevent and detect money laundering. The SEC has been working cooperatively with the securities self-regulatory organizations, as well as with the SIA, to help firms get educated and get started with their new anti-money laundering requirements under the Patriot Act.

Many provisions of the Patriot Act have already gone into effect, and others go into effect later this year. By now, all broker-dealers should have established their anti-money laundering compliance programs, including: (1) adopting policies, procedures and controls specifically designed to detect and prevent money laundering; (2) designating a compliance officer; (3) initiating ongoing training for employees; and (4) providing for independent tests of the program.

Looking forward, you can expect that examiners will be examining firm's compliance with the new Patriot Act requirement on a rolling basis, as the various new provisions go into effect. For example, we will be looking at firms' account opening procedures, which will soon be subject to new Patriot Act requirements. As proposed, these new rules will require broker-dealers to: (1) verify the identity of any person seeking to open an account, to the extent reasonable and practicable; (2) maintain records of the information used to verify a person's identity; and (3) determine whether the person appears on any lists of known or suspected terrorists or terrorist organizations. In addition, we will also be reviewing firm policies and procedures for suspicious activity reporting, and, after January 1st we'll be looking at compliance with new rules governing suspicious activity reporting. Finally, part of our exam protocol will include review of a firm's due diligence procedures for identifying shell banks, as well as for its correspondent accounts, as the new Treasury requirements go into effect.

This is an area that I believe you will want to review as well.

Regulation S-P and Identity Theft

Another new statute we have been spending a lot of time on is Gramm-Leach-Bliley, and specifically its the new privacy requirements, commonly known in SEC parlance as Regulation S-P. We're placing particular focus on that part of the rule known as the "safeguard rule" which requires firms to have safeguards over the security of information.

"Identity theft" is one of the fastest growing crimes in America. Thieves have been able to gain access to customers' personal information, and pretending to be the unwitting victim, have used the victim's good name and credit. This is often called "pre-texting," because the thieves obtain the information under a false pretext. Identity theft Regulation S-P requires that firms have adequate safeguards to protect customer information from unauthorized access or use. As such, we are currently conducting a sweep of broker-dealers and investment company complexes to evaluate their policies and procedures for protecting customer records and information from people seeking to commit identity theft frauds.

This is another area that internal auditors should be alert to.

Now I'd like to focus for a few minutes on some of the areas that have been receiving special attention by SEC examiners in the current environment.

Analysts' Conflicts of Interest

Earlier this year, the SEC announced that we had commenced a formal inquiry into market practices concerning analysts, jointly with the NYSE and the NASD. We are focusing in this review on several things  first, have analysts issued ratings that are fraudulent? Existing anti-fraud rules prohibit making statements that speaker knows not to be true  that would be fraud, plain and simple. Second, are firms complying with the new rules adopted by the SROs and approved by the SEC in May? Finally, we are reviewing what additional rules may be appropriate.

In this regard, in July, the SEC proposed a new rule  Regulation Analyst Certification  that would require research analysts to certify the truthfulness of their views in their research reports and in public appearances, and disclose whether they have received any compensation related to the specific recommendation provided in those reports and appearances.

Most recently, the SEC and the New York State Attorney General announced a joint effort to bring to a speedy and coordinated conclusion the various investigations concerning analyst research and IPO allocations. As part of this effort, regulators will endeavor in the next few weeks, based on the evidence we have compiled and input from interested parties, to formulate a common plan to address these issues. This plan will then be used as a template to structure appropriate settlements with the broker-dealers that are currently under investigation and/or provide a sound basis for proposing industry-wide rules and regulations, including structural reforms that will be used to govern in these areas. Our goal is to address the research analyst and IPO allocation issues in a joint and unified manner, so that brokerage firms will effect needed changes in a rational and principled manner.

Information Barriers

We are continuing to examine the policies and procedures that firms have adopted to prevent the misuse of non-public information, and we continue to find deficiencies in this area. In this context, one persistent complaint that we hear from buy-side traders is that information about their trades is getting out to others in the marketplace, who may be front running their trades. I caution that, while executing trades for customers necessarily involves finding the other side of the trade, if traders are providing non-public information about customers' trades absent this legitimate need, they may be engaging in insider trading.

I also note that in recent years the SEC has brought an increasing number of insider trading cases involving members of the securities industry. In my view, it makes sense for all firms to reexamine their procedures to prevent the misuse of non-public information to make sure they're airtight. This is also an area where internal auditors can help.

The IPO Process

In August of this year, Chairman Pitt announced that the SEC had initiated a review of the IPO process, including the roles of issuers and underwriters in the price-setting process. Chairman Pitt called on the NYSE and the NASD to begin this review, stating his letter to the SROs:

"[In the 1990s], hot IPOs were heavily oversubscribed, and many investors were frustrated in their attempts to participate in the IPOs. Participation in these IPOs became immensely valuable for both underwriters and customers, inducing aggressive conduct to gain this business. As a result, serious questions arose about the price setting process and the allocation practices of the underwriters of some of these offerings. For example, to obtain IPO allocations some investors paid excessive commissions, or may have been induced to purchase shares in the aftermarket, distorting the market for these securities. In other cases, hot IPO shares may have been allocated to individuals for the purpose of obtaining investment banking business."

The Chairman noted in his letter that the SEC and the SROs continue to investigate possible violations of existing rules, and asked the SROs to undertake a broader review of the IPO process by convening a group of business and academic leaders to study the IPO process. One goal of this effort is to determine whether additional rulemaking is appropriate to strengthen the integrity of the offering process and to protect investors.

IPO allocations are an area that you can expect examiners, both SEC and SRO examiners, to continue to focus on in upcoming examinations.

Hedge Funds

By all reports, there has been a phenomenal growth in investments in hedge funds. These entities are not subject to reporting requirements or registration under the federal securities laws, so we have limited information about how they operate. Earlier this year, our Chairman announced that the SEC would commence a fact-finding investigation to evaluate:

incidents of fraud that we have seen with certain private investment funds, particularly hedge funds;

conflicts associated with managing these vehicles alongside mutual funds; and

marketing these vehicles directly and indirectly to retail investors.

SEC examiners are assisting in this fact-finding investigation, and will be seeking information from broker-dealers as part of this effort.

Internal Controls

Finally, let me shift gears for a moment and talk about internal controls. We have continued to conduct specialized reviews of firms' risk management and internal controls  evaluating the processes and procedures that firms use to measure and manage risks relating to trading, credit, liquidity, and new products. We first began this type of examination in 1995, and have expanded the number of these reviews each year since then. In light of the concentration of customer assets in the largest firms, we are examining large firms' internal controls on a regular basis.

What we're looking for in these exams is essentially a system of controls  written guidelines, a clear delineation of responsibility, and independent and periodic oversight that the guidelines are being followed. Most often our internal controls examinations result in deficiency letters recommending that risk management be more comprehensive, more independent and timelier.

Where risk management (for the broker-dealer and other affiliates) is consolidated at the parent holding company level, we expect broker-dealers to make this information available to us. Our practice is to share the results of these reviews with our colleagues at the Federal Reserve, so that banking regulators will have a complete picture of the holding company including the broker-dealer, and can defer to the SEC as the functional regulator for the broker-dealer.

A new focus of these examinations is on operational risk, particularly on contingency planning for an emergency or a significant business disruption. In this regard, I note that there has been an enormous amount of focus on contingency planning by firms in the industry and by regulators. The SEC, the Federal Reserve Board, the Comptroller of the Currency and the NY State Banking Department recently issued a "Draft White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System," which describes sound practices with respect to contingency planning. The SEC is seeking public comment on the scope and application of the sound practices, by October 31st. And, as you may know, both the NASD and the NYSE have proposed rules requiring that firms have adequate contingency plans.

As I mentioned earlier, reviewing firms' internal controls is an important focus area for us, and one where the role of the internal auditor is key. We hope that, as part of these reviews, we will be talking to internal auditors more directly and purposefully than we have in the past, because clearly this is an area where our efforts are complementary.

Before I close today, let me repeat the message I want to leave you with  we need to work together, to face the critical issues and meet the new challenges of our markets today. We want to work with you, and we support your efforts. We support your efforts to detect fraud, to improve internal controls, and to promote securities law compliance within your firms. When the internal audit function supports a strong compliance culture, there are enormous benefits  the health and integrity of the firm is strengthened, and investors  your firm's customers  can have confidence in your firm and, more broadly, in our securities markets.